Rule: Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

This rule ensures that the Application Load Balancer redirects all HTTP requests to HTTPS, so that client traffic is encrypted in transit.

Rule: Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
Framework: PCI v3.2.1
Severity: Medium

Application Load Balancer Configuration Rule for Redirecting HTTP to HTTPS for PCI v3 Compliance

Description:

To comply with PCI v3 standards, it is crucial to ensure that all HTTP requests are automatically redirected to HTTPS. The redirect moves traffic onto a secure connection, encrypting sensitive information and preventing unauthorized access to personal or financial data.

Troubleshooting Steps:

  1. Ensure that the Application Load Balancer (ALB) is properly configured for HTTP to HTTPS redirection.
  2. Check if the ALB listener rules are correctly set up to redirect HTTP traffic to HTTPS.
  3. Verify that the SSL/TLS certificate is properly installed on the ALB.
  4. Ensure that the security group associated with the ALB allows incoming traffic on both HTTP (port 80) and HTTPS (port 443).

Configuration Steps:

1. Create or Select an Existing Application Load Balancer

  • If not already created, follow the documentation provided by your cloud provider to create an Application Load Balancer in your desired region.

2. Configure Listener and Listener Rule

  • Go to the ALB configuration page in your cloud provider's management console.
  • Select the corresponding ALB or create a new ALB if required.
  • Configure the ALB listener to listen on both HTTP (port 80) and HTTPS (port 443).
  • Create a new listener rule for the HTTP listener to redirect HTTP traffic to HTTPS.
    • For example, for AWS ALB, the rule may look like:
      • IF Path IS /* THEN Redirect TO https://#{host}:443/#{path}?#{query}
  • Save and apply the listener rule changes.

3. Verify SSL/TLS Certificate Installation

  • Ensure that a valid SSL/TLS certificate is installed on the ALB.
  • If you haven't already obtained one, you can request a certificate from a trusted Certificate Authority (CA) or use a service like AWS Certificate Manager.
  • Upload or associate the certificate with the ALB listener.
  • Verify that the certificate is active and not expired.

4. Verify Security Group Configuration

  • Confirm that the ALB's associated security group allows incoming traffic on both HTTP (port 80) and HTTPS (port 443).
  • Update the security group rules if necessary.

Remediation (CLI Commands):

AWS CLI Commands for Application Load Balancer Configuration:

# Create a new listener rule on the HTTP listener to redirect HTTP traffic to HTTPS
# (path-pattern '/*' matches every path; '/' alone would match only the root path)
aws elbv2 create-rule --listener-arn <listener-arn-of-http> --priority <priority> \
  --conditions Field=path-pattern,Values='/*' \
  --actions Type=redirect,RedirectConfig="{Protocol=HTTPS,Port=443,StatusCode=HTTP_301}"

# Update the existing HTTPS listener: set its default forward action and attach the certificate
aws elbv2 modify-listener --listener-arn <listener-arn> \
  --default-actions Type=forward,TargetGroupArn=<target-group-arn> \
  --certificates CertificateArn=<certificate-arn>

# Verify SSL/TLS certificate installation (check Status and NotAfter in the output)
aws acm describe-certificate --certificate-arn <certificate-arn>

# Update security group rules to allow HTTP (port 80) and HTTPS (port 443) traffic
# (the command needs a traffic source; <source-cidr> is the client range to allow)
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 80 --cidr <source-cidr>
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 443 --cidr <source-cidr>

Note: Replace <listener-arn-of-http>, <priority>, <listener-arn>, <target-group-arn>, <certificate-arn>, <security-group-id>, and <source-cidr> with the appropriate values specific to your environment.

By following the above steps and executing the necessary CLI commands, you can configure your Application Load Balancer to redirect all HTTP requests to HTTPS, ensuring compliance with the PCI v3 standards.
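
A check for the listener rules configured above, as an added example that is not part of the original page or of any vendor tooling: it walks an HTTP listener's rules in evaluation order and reports every reachable rule that still answers over plain HTTP, going slightly beyond the single rule shown by also covering rule priority and the `#{protocol}` redirect target. The sample data is constructed in the shape of the "Rules" array from `aws elbv2 describe-rules`; the listener names and function names are assumptions.

```python
# Constructed sample: rules of three HTTP:80 listeners, shaped like the "Rules"
# array returned by `aws elbv2 describe-rules`. Listener names are placeholders.
def _rule(priority, patterns, action):
    conds = [{"Field": "path-pattern", "Values": patterns}] if patterns else []
    return {"Priority": priority, "IsDefault": priority == "default",
            "Conditions": conds, "Actions": [action]}

def _redirect(protocol):
    return {"Type": "redirect", "RedirectConfig":
            {"Protocol": protocol, "Port": "443", "StatusCode": "HTTP_301"}}

FORWARD = {"Type": "forward", "TargetGroupArn": "<target-group-arn>"}
SAMPLE = {
    "all-paths": [_rule("default", None, FORWARD), _rule("1", ["/*"], _redirect("HTTPS"))],
    "root-only": [_rule("1", ["/"], _redirect("HTTPS")), _rule("default", None, FORWARD)],
    "keeps-http": [_rule("default", None, _redirect("#{protocol}"))],
}

def to_https(rule):
    """True if the rule's action is a redirect whose target protocol is HTTPS."""
    return any(a["Type"] == "redirect"
               and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
               for a in rule["Actions"])

def catches_all(rule):
    """True for the default rule or a rule whose only condition is path '/*'."""
    conds = rule["Conditions"]
    return rule["IsDefault"] or (len(conds) == 1
        and conds[0]["Field"] == "path-pattern" and "/*" in conds[0]["Values"])

def plaintext_rules(rules):
    """Priorities of reachable rules that answer over HTTP instead of redirecting."""
    ordered = sorted(rules, key=lambda r: (r["IsDefault"],
                     0 if r["IsDefault"] else int(r["Priority"])))
    findings = []
    for rule in ordered:        # lowest priority number first, default rule last
        if not to_https(rule):
            findings.append(rule["Priority"])
        if catches_all(rule):   # rules after a catch-all are never reached
            break
    return findings

def audit(rules_by_listener):
    """Map each listener name to its non-redirecting rules (empty list = passes)."""
    return {name: plaintext_rules(rules) for name, rules in rules_by_listener.items()}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A listener passes when its list is empty; the "root-only" listener fails because a redirect conditioned on the path `/` leaves every other path to the forwarding default rule.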
